Last week, we posted to say that iTunes Plus files seem to exhibit some strange variations above and beyond the widely reported fact that they contain the purchaser's name and email address/Apple ID. We've since had time to look at these files more closely, and we can say a little more about what's going on inside.
Firstly, the most interesting hypotheses turn out to be false. There aren't any watermarks in the compressed data; in fact, the compressed segments are identical across multiple copies of the same track. The large variation in size that we observed between two different iTunes Plus purchases of the same track turned out to be because one file contained two copies of the cover art: a quality 93 600x600 JPEG, and a quality 100 600x600 JPEG. This is a little odd, but it probably results from iTunes having cached a cover for the whole album before the track was purchased, and is unlikely to double as a tracking mechanism (inadvertent or otherwise).
Secondly, the odd tables we mentioned last week are not all that interesting. They're tables of pointers into the compressed audio data, so that players can find different parts of the track (stco tables). When the file is offset by the inclusion of an extra JPEG in the headers, all the pointers change.
While there are no watermarks, there are some other interesting fields that are likley to have privacy implications. In particular, there is a 1024 bit variant field labeled sign and a 630 byte variant field labeled chtb. These are unique for every combination of user and track we've seen. Neither of these fields existed in the FairPlay DRMed .m4p tracks that Apple has been selling in the past.
It's best to assume that either the sign or chtb field could be used by Apple to identify the user who purchased a track (that would be true if Apple logs what it writes in these fields, or if sign is, as it seems, a cryptographic signature). It's also safe to assume that they can be used to tell the difference between real and forged names / Apple IDs in tracks.